Technical and Organisational Measures

1. Purpose of this Page

This page lists the technical and operational measures that apply as a standard. The actual measures taken depend on the Service and the location of processing concerned, because not all measures are relevant for all Services and locations. Worldline Sweden AB guarantees that, for all Services and locations, it has the necessary adequate technical and operational measures included in the list below, following a Data Protection Impact Assessment. The measures are designed to:

The page also contains a list of subcontractors used by Worldline Sweden to deliver its services. Worldline Sweden ensures that all its subprocessors have provided adequate guarantees on the protection of personal data they process on our behalf.

Worldline Sweden commits to continuously monitoring the effectiveness of its information safeguards and to a yearly compliance audit by a Third Party to provide assurance on the measures and controls in place.

2. Technical and Organisational Measures

A. People, awareness and HR:

B. Physical Security and paper records:

Compliance with the Group Worldline Physical and Environmental Security policy:

C. Remote end user devices are protected:

Remote users work with laptops and desktops on the Worldline secured network maintained by Global IT for the Worldline Group. The following security measures are incorporated in addition:

D. Remote Access Security

2-factor authentication is used in general for remote access to the critical Worldline target systems. If the source of the remote connection is a system controlled by Worldline Sweden, then device authentication based on a certificate on the device is implemented. If the source is not under Worldline control, it should connect to a virtual desktop system.

Any other connection setup needs to be approved upfront by the security department.

E. Generic security measures are, among others:

F. Access control to Personal Data

Employees with access to private data can only access the data that are necessary for the purpose of the activities under their responsibility. Access authorisation is provided based on the ‘need to know’ and ‘need to access’ and is either role-based or name-based. Access logs are in place and the responsibility for access control is assigned.

The following measures are in place:

G. Security and confidentiality of personal data

Based on a risk assessment (and, if required, an additional DPIA), Worldline Sweden will ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

H. Organization control

The Data Processor shall maintain its internal organization in a manner that meets the requirements of the applicable legislation and the Data Controller's requirements on data security. This shall be accomplished by:

3. Used Sub-Contractors

Worldline Sweden uses the following sub-contractors to provide its services: